Create side by side IPsec tunnels using two or more VNS3 Controllers. Use either NAT-Traversal or Native IPsec methods to configure a secure tunnel you control to endpoints you specify in public, private, or hybrid clouds.

1. © 2016
VNS3 IPsec Side by Side
Connecting two or more VNS3 Controller Instances via IPsec
2016

2. © 2016
Requirements and Restrictions
2
You have access to two or more VNS3 controller instances
The VNS3 controller instances are running in non-overlapping VLANs (e.g. VPC Subnets,
Google Networks, etc.) and non-overlapping VNS3 Overlay Subnets
Side-by-side IPsec connections can connect two VNS3 topologies using the Overlay
Network in all clouds
Connecting underlying unencrypted VLANs is restricted to Cloud environments that
provided both packet forwarding features and route table controls to enable VNS3
controller instances as the router/switch for packets being sent to a connected
environment

3. © 2016
Using NAT-Traversal Encapsulation
3

4. © 2016
Topology Setup
4
For the purpose of this example the IPsec tunnel connection
will be made between VNS3 Controller Instance A (VNS3-A)
and VNS3 Controller Instance B (VNS3-B). Note the topology
name in the screenshots.
Both VNS3 controller instances are configured with a
different/non-overlapping Overlay Subnet and are running in
a different/non-overlapping VLAN. Our example setup is:
VNS3-A
Overlay Subnet: 172.31.10.0/24
VLAN: 192.168.200.0/24
VNS3-B
Overlay Subnet: 172.31.11.0/24
VLAN: 192.168.201.0/24
NOTE: NAT-Traversal IPsec requires UDP 500 and 4500
access between the two VNS3 Controller instances.

5. © 2016
Change VNS3 Local Private IP
5
When connecting two VNS3 topologies using NAT-
Traversal IPsec, the local private IP address is required in
the Endpoint definitions. The default value of
192.0.2.254 must be changed on one of the VNS3
controller instances as the overlap will preview the
tunnel from fully negotiating.
NOTE: the Local private IP address should be unique
among all VNS3 Controllers in that Controller’s topology
and must not be inside the topology's data subnet.
Change the Local private IP address on VNS3-B to
192.0.2.253.
Click IPsec and eBGP under the Connections left menu.
Click Change next the the Local private IP address.
On the resulting page enter 192.0.2.253 in the New local
IP address field.
Click Save changes.

6. © 2016
VNS3-A: Create a New Endpoint
6
On VNS3-A click Define new remote endpoint.
Enter a name for the connection to VNS3-B.
Enter the VNS3-B controller instance's Public IP
address in the Enter Internet IP address for this endpoint
field.
Enter a PSK in the Preshared Key fields.
Enter the VNS3-B controller instance's Local private
IP (see previous page) in the NAT IP field.
Click the Enable PFS checkbox (optional but
recommended).
Enter any IPsec parameters needed in the Extra
configuration parameters field. This can be left blank to
allow VNS3 to auto negotiate. These parameters need
to match both sides to allow the tunnel to negotiate.
Click Save.

7. © 2016
VNS3-A: Create a New Tunnel
7
On VNS3-A, click New tunnel next to the
newly created endpoint definition.
Enter the VNS3-A Overlay Subnet in the
Local subnet field.
Enter the VNS3-B Overlay Subnet in the
Remote subnet field.
Enter a descriptive name in the Name field.
Click Create.

8. © 2016
VNS3-B: Create a New Endpoint
8
On VNS3-B click Define new remote endpoint.
Enter a name for the connection to VNS3-A.
Enter the VNS3-A controller instance's Public IP
address in the Enter Internet IP address for this
endpoint field.
Enter a PSK in the Preshared Key fields.
Enter the VNS3-A controller instance's Local private IP
in the NAT IP field.
Click the Enable PFS checkbox (optional but
recommended).
Enter any IPsec parameters needed in the Extra
configuration parameters field. This can be left blank to
allow VNS3 to auto negotiate. These parameters need
to match both sides to allow the tunnel to negotiate.
Click Save.

9. © 2016
VNS3-B: Create a New Tunnel
9
On VNS3-B, click New tunnel next to the
newly created endpoint definition.
Enter the VNS3-B Overlay Subnet in the
Local subnet field.
Enter the VNS3-A Overlay Subnet in the
Remote subnet field.
Enter a descriptive name in the Name field.
Click Create.

10. © 2016
Connected
10

11. © 2016
Using Native IPsec
11

12. © 2016
Topology Setup
12
For the purpose of this example the IPsec tunnel connection
will be made between VNS3 Controller Instance A (VNS3-A)
and VNS3 Controller Instance B (VNS3-B). Note the topology
name in the screenshots.
Both VNS3 controller instances are configured with a
different/non-overlapping Overlay Subnet and are running in
a different/non-overlapping VLAN. Our example setup is:
VNS3-A
Overlay Subnet: 172.31.10.0/24
VLAN: 192.168.200.0/24
VNS3-B
Overlay Subnet: 172.31.11.0/24
VLAN: 192.168.201.0/24
NOTE: Native IPsec requires UDP 500 and Protocol 50 (ESP)
access between the two VNS3 Controller instances.

13. © 2016
Change VNS3 Local Private IP
13
Disable NAT-Traversal on both VNS3-A and
VNS3-B.
Click IPsec and eBGP under the Connections
left menu.
Click Toggle next to NAT-Traversal to disable.

14. © 2016
VNS3-A: Create a New Endpoint
14
On VNS3-A click Define new remote endpoint.
Enter a name for the connection to VNS3-B.
Enter the VNS3-B controller instance's Public IP
address in the Enter Internet IP address for this endpoint
field.
Enter a PSK in the Preshared Key fields.
Leave the NAT IP field blank.
Click the Enable PFS checkbox (optional but
recommended).
Enter any IPsec parameters needed in the Extra
configuration parameters field. This can be left blank to
allow VNS3 to auto negotiate. These parameters need
to match both sides to allow the tunnel to negotiate.
Click Save.

15. © 2016
VNS3-A: Create a New Tunnel
15
On VNS3-A, click New tunnel next to the
newly created endpoint definition.
Enter the VNS3-A Overlay Subnet in the
Local subnet field.
Enter the VNS3-B Overlay Subnet in the
Remote subnet field.
Enter a descriptive name in the Name field.
Click Create.

16. © 2016
VNS3-B: Create a New Endpoint
16
On VNS3-B click Define new remote endpoint.
Enter a name for the connection to VNS3-A.
Enter the VNS3-A controller instance's Public IP
address in the Enter Internet IP address for this endpoint
field.
Enter a PSK in the Preshared Key fields.
Leave the NAT IP field blank.
Click the Enable PFS checkbox (optional but
recommended).
Enter any IPsec parameters needed in the Extra
configuration parameters field. This can be left blank
to allow VNS3 to auto negotiate. These parameters
need to match both sides to allow the tunnel to
negotiate.
Click Save.

17. © 2016
VNS3-B: Create a New Tunnel
17
On VNS3-B, click New tunnel next to the
newly created endpoint definition.
Enter the VNS3-B Overlay Subnet in the
Local subnet field.
Enter the VNS3-A Overlay Subnet in the
Remote subnet field.
Enter a descriptive name in the Name field.
Click Create.

18. © 2016
Connected
18

19. © 2016
VNS3 Document Links
19
VNS3 Product Resources - Documentation | Add-ons
VNS3 Configuration Document
Instructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology.
Specific steps include, initializing a new Controller, generating clientpack keys, setting up peering, building
IPsec tunnels, and connecting client servers to the Overlay Network.
VNS3 Docker Instructions
Explains the value of the VNS3 3.5 Docker integration and covers uploading, allocating and exporting
application containers.
VNS3 Troubleshooting
Troubleshooting document that provides explanation issues that are more commonly experienced with VNS3.